In our continuing series of “Interview with a security professional” we have the pleasure of having Bruce Schneier who will answer some questions posed by the members.

Question

At what stage does encryption strength become a national security issue?

Bruce’s answer

It always has been. It was during World War II. It was in the beginning of the computer age. It has been through the Cold War, and it is today. All through that time, major national governments have had large agencies designing cryptographic systems and breaking the systems of other countries. This is unlikely to change in the future.

Question

Recently you mentioned that you feel ISPs should be held liable for bad network traffic such as viruses, spam, and such. How would you propose this be done? Lastly, what would you say to those who say this is no different than holding car manufacturers liable for drunk drivers?

Bruce’s answer

Most of the criticism of this idea has come from people who don't understand liability, or -- at least -- approach it from a computer-science perspective. Liability is not all or nothing. It's much more complicated than that, and much more human. Liabilities are apportioned by the court system. And while it is certainly unreasonable to assume that ISPs should be 100% liable for bad network traffic, it is also unreasonable to assume that they should be 0%. Somewhere between 0% and 100% is the proper liability, and that's the kind of thing that courts are good at figuring out. They'll also decide if it is different than holding car manufacturers liable for drunk drivers, and how much different.

No, this is not an algorithmic answer. And yes, it will change over time. But it's the way our society ensures that good products and services are available to consumers.

Question

Do you believe ICANN should continue to hold a prominent role in the governance of the Internet core routers?

Bruce’s answer

Sorry. I have no opinion on this matter.

Question

What do you see as the biggest threats to home users in the near future?

Bruce’s answer

Crime. The biggest threat on the Internet right now is crime. It's the biggest threat to businesses, and it's the biggest threat to home users as well. If the crime rate increases much more, people will stop doing things online.

Question

What is your opinion about staying anonymous online? Is it really possible legally/illegally?

Bruce’s answer

Anonymity is not an all-or-nothing thing; there are degrees. Right now I can get an anonymous e-mail account on one of a variety of systems and be anonymous to my friends. That won't protect me from the police, though. As your adversary gets more skilled, better funded, and more able to apply legal pressure, anonymity is harder. I don't know if it is possible to have true anonymity against even the most skilled adversaries anymore.

Question

Do you foresee the development of a cryptographically secure hash any time in the near future? And do you anticipate finishing your own based on Phelix?

Bruce’s answer

There are lots of cryptographically secure hash functions right now: SHA-256, Whirlpool, SHA-1 with twice the number of rounds, etc. Designing a secure hash function is easy; designing one that has good performance is hard. Right now we need serious research into the design of hash functions. I hope to contribute to that research, both by cryptanalyzing other hash functions and through the design of a hash function based on Phelix.

Question

As privacy seems to be currently eroding away, with the requests for wiretapping VOIP calls, logging of Internet usage, and so forth, do you think that eventually the general public will realize and start to demand that privacy back?

Bruce’s answer

If you think predicting mathematical advances in cryptography is hard, try predicting changes in public opinion. I have no idea if people will start demanding more privacy instead of accepting less. Certainly public opinion swings back and forth through history, so it's reasonable to assume that it will swing back towards privacy. But when, and how... I have no idea.

On behalf of the forums and myself I would like to sincerely thank Mr. Bruce Schneier for taking the time to answer the questions posed by our members.

This interview is copyright 2006 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.